11.04
2
3- The fixing of the silly memleak introduced a bug that could cause
4  crashes on some systems, fixed. Thanks to Jukka Anttonen for reporting
5  it.
6
71.03
8
9- At least one ftpd can't handle PROT before USER, this is (unfortunately)
10  allowed by the TLS FTP spec so handle it properly.
11
12- The debug mode crashed on Linux and probably some other OSes.
13
14- It now is possible to build a version for Windows 9x/ME (which does not
15  have the possibility to run as a service). This is the first version
16  ever to work properly on this platform, as the old Cygwin version
17  didn't work on 9x.
18
19- Improved the error handling for connection resets in the TLS handshake.
20
21- Improved the error handling for connection attempts blocked by software
22  firewalls in Windows.
23
24- Fixed a silly memleak.
25
261.02
27
28- Minor HP-UX fixes (UNIX95 vs UNIX98 vs current).
29
30- Fixed detection of recent versions of the Intel compiler on Linux, to
31  prevent a strange compilation error on Itanium systems.
32
33- A small fix to work with the recently released OpenSSL 0.9.8.
34
35- Since OpenSSL 0.9.8 supports 64-bit Windows (x64 and IA64), TLSWrap also
36  does:
37
38  I have provided an installer for Windows x64, just like for the normal x86
39  version. The installer is unfortunately 32-bit for now, but everything
40  else is 64-bit. The included OpenSSL DLLs are compiled with the Intel C++
41  Compiler 9.0 for EM64T and should in many cases have superior performance
42  compared to the 32-bit versions (I get twice the speed with AES on my EM64T
43  CPU, but the performance will vary with algorithm and CPU type).
44
45  I found a bug in OpenSSL 0.9.8 that broke DES encryption when using the
46  latest Intel compiler. The included DLL's have this fix applied and the
47  next official version of OpenSSL 0.9.8 will also have this fix.
48
491.01
50
51- Fixed a bug in the startup code that could randomly prevent it from loading
52  on Windows XP Pro x64 edition (and theoretically on other Windows versions).
53
54- The Configuration Manager should not start if the TLSWrap service is not
55  installed, fixed. Improved some error messages.
56
571.00
58
59- Added support for active FTP (i.e. PORT and EPRT modes).
60
61- Added support for user certificates/certificate chains. To use this
62  feature, start TLSWrap with -P <path_of_user_certificate_directory> (or if
63  using the Windows service, with the configuration manager). After this,
64  TLSWrap will try to use <server-IP>.pem from the user certificate
65  directory.
66
67  The certificates must be in PEM format and must be sorted starting with the
68  subject's certificate (actual client certificate), followed by intermediate
69  CA certificates if applicable, and ending at the highest level (root) CA.
70
71- The TLSWrap Configuration Manager for the Windows service now supports
72  managing user certificates in addition to server certificates.
73
74- It is now possible to add and delete certificates using the buttons in the
75  TLSWrap Configuration Manager. It is also possible to rename a certificate
76  by clicking on its file name in the list. Also misc. improvements to the
77  certificate handling.
78
790.9
80
81- Added a GUI configuration tool and a tray monitor for the Windows version.
82
83- Fixed the error handling for DNS errors. TLSWrap now gives a "530 Could not
84  resolve hostname." error and it is possible to start over with a new USER
85  string without reconnecting.
86
87- Fixed a bug and a portability issue in the connection routines handling
88  refused connections.
89
90- Passive TCP ports below 256 were not handled correcly, reported with patch
91  by Christoph Hackman. It is unlikely that anyone was affected unless they
92  patched their ftpd to use privileged ports to get around their ISPs
93  throttling of higher ports.
94
95- It was not possible to change the token defaults anymore, fixed.
96
97- Added PKI support and a number of "security modes" to control it:
98  ---------------------------------------------------------------------------
99  0 - No certificate verification is done. (Default for now.)
100
101  1 - Relaxed whitelisting
102      --------------------
103      On the first connection to a server, its certificates (control and
104      data connections are treated separately, for quite obvious reasons), will
105      will be saved in the certs dir (see below) as <server-IP>-<data/ctrl>.pem.
106
107      On subsequent connections, TLSWrap will verify the stored certificates
108      against those presented by the server. If the control connection
109      certificate doesn't match, tlswrap will say "530 TLSWrap certificate
110      verification failed, disconnecting." and disconnect. If the data
111      certificate doesn't match, it will print "425 TLSWrap data certificate
112      verification failed.", the data transfer will be aborted but TLSWrap will
113      stay connected with the server.
114
115      No other checks (such as expiration dates, CRLs, CAs) will be made on
116      the certificates.
117
118  2 - Strict whitelisting
119      -------------------
120      Identical to mode 1 above, but with the difference that no new
121      certificates will be added. If TLSWrap can't find certificate file(s)
122      for a server, it will just disconnect.
123
124  3 - Relaxed PKI path validation
125      ---------------------------
126      This mode requires one or more X.509 CA certificates (or certificate chains)
127      in the form of a PEM file. All certificates must be valid. To specify CA
128      certificates, use -a <name_of_ca_PEM_file>.
129
130      Upon connection with a server, an encrypted TLS session is first eshtablished.
131      This yields the server's X.509 certificate which is validated using the
132      previously specified CA certificates. No certificate fields are used.
133
134  4 - Strict PKI path validation
135      --------------------------
136      This works like above mode, but the certificate information is verified as
137      follows:
138
139      If the X.509v3 subject alternative name extension is present, then
140      the DNS name and IP address fields will be matched against the server's.
141      If there is no subjectAltName extension the commonName (CN) will be
142      compared against the DNS name. If either check fail then the connection
143      will be terminated.
144
145      ## This is the proper way to use X.509 certificates ##
146
147  ---------------------------------------------------------------------------
148
149  Set the default security mode with -s <mode> or dynamically with
150  the connection string +<mode>user@host:port
151
152- All server certificates will be stored and loaded from a certs/ subdirectory
153  from where tlswrap is started. This directory is automatically created the
154  first time tlswrap is started. An alternative directory may be specified with -p
155  <other_certs_dir>, but this directory must already exist. If you make the
156  directory manually, remember to set proper access rights (probably chmod 700).
157
158- Added support for building a native Windows NT/2000/XP version, which resulted
159  in a major speed improvement compared to the previous Cygwin versions. The same
160  source now builds the UNIX versions, the Cygwin version and a native Windows
161  version using either "Intel(R) C++ Compiler for 32-bit applications,
162  Version 8.1" or "Microsoft (R) 32-bit C/C++ Optimizing Compiler Version
163  12.00.8804 for 80x86". It is still possible to build a Cygwin version, but as
164  before, the performance is abysmal.
165
166- The native Windows version now supports installing itself as a system service,
167  and thus it can be started automatically at system boot and run in the background.
168
169  The official TLSWrap Windows installer allows for easy installation and
170  removal of the TLSWrap service, but see below how to do it manually:
171
172  Use 'tlswrap -I <options>' to install TLSWrap as a service, to be
173  started with <options> on system boot. If the options contain spaces, enclose them
174  with ", e.g. 'tlswrap -I "-l 6000"'. To install with the default options, use the
175  command 'tlswrap -I ""'. The service is automatically started after installation.
176
177  Use "tlswrap -R" to stop (if it is running) and remove the TLSWrap service.
178
179- Misc TLS changes, including cached SSL sessions for data connections.
180
181- Decreased the data buffer size from 8192 bytes to 4096 bytes on the native
182  MS Windows version.
183
184- Fixed a nasty bug concering aborted connections versus TLS nonblocking
185  stuff.
186
187- Fixed an old but very simple bug that could case the program to loop if
188  the server dropped the connection.
189
190- Fixed a bug reported by Markus Jevring that caused TLSWrap to stall in
191  certain cases.
192
193- Fixed so that it is possible to combine user string tokens, for example
194  use #% to get "implicit SSL without data encryption" (yes, it's still a
195  horrible non-standard).
196
1970.8 test 2
198
199- Added a Windows installer.
200
201- AES 256-bit is the default cipher now (requires OpenSSL 0.9.7), RC4 is the
202  alternative choice.
203
2040.8 test 1
205
206- %user@host:port can now be used to connect with servers using
207  "implicit SSL", a non-standard that immediately expects a SSL/TLS
208  handshake on the control connection, for example "Serv-U FTP server" with
209  "Allow only SSL/TLS sessions". Originated as a patch from Serg Kastelli
210  <sk(at)online-web.net> (thanks) but was bugfixed and changed from beeing
211  a commandline option.
212
213- Set TOS types in IP headers, originally from Thomas Habets
214  <thomas(at)habets.pp.se> (thanks) but was changed to work with
215  more than Linux...
216
217- misc source cleanups
218
219- EPSV wasn't 100% working, fixed.
220
2210.7 final
222
223- fixed a possibly unitialized variable. if you got the error:
224  "bind: Permission denied" while using multiple sessions,
225  this is now fixed.
226- only had RSA ciphers on the default cipherlist, added a few DHE algos.
227- removed too much from the documentation last spring cleaning,
228  put them back now:
229
230        -c max
231                Maximum number of client connections to handle. Defaults
232                to 5.
233
234        -C list
235                Select permitted SSL ciphers each separated by a colon.
236
2370.7 beta4
238
239- reject possible AUTH commands sent before USER.
240- its possible to change the #, @ and : characters used to
241  separate the username, hostname and port and to disable
242  data encryption, see README for details.
243
2440.7 beta3
245- forgot to initialize a flag structure when reusing objects,
246  could probably cause a crash.
247- added -h argument to specify ip or hostname to bind the
248  listening socket. The default is now 127.0.0.1, so you
249  who used it remotely *MUST* specify another IP to listen
250  to!
251
2520.7 beta2
253- changed the buffer size to 8192 bytes.
254- don't mess with the TCP buffer sizes
255- oops, had an abort() left in the code, no wonder it coredumped...
256  should fix everyone's "crash" problems!
257- removed some unnecessary crap from tls.c
258
2590.7 beta1
260
261- added support for EPSV (Extended Passive Mode)
262- wait to forward the control channel until a \n is found, fixes a
263  bug with badly written ftp servers (hi glftpd-TLS) that send a
264  packet for each character!
265- don't try to calculate the max fd, just use FD_SETSIZE
266
267
2680.6
269
270- Use inet_addr() if inet_aton() doesn't exist.
271- Added support for a entropy gathering daemon.
272- Lots of changes to make it as portable as possible.
273
2740.6 pre3
275
276- Added a check for RAND_status() to the configure script to work with
277  OpenSSL 0.9.4. Other misc fixes and changes.
278
2790.6 pre2
280
281- If the username starts with #, only encrypt control channel (for "FXP"
282  or "ftp proxy" use).
283